Notepad++ Subject to Supply Chain Attack for Months

The popular text editor Notepad++ had their infrastructure compromised from about June 2025 to December 2025, allowing the attackers to deliver malicious updates to unsuspecting users.

In their statement, the Notepad++ team states that the vulnerability was in the infrastructure and not in Notepad++ itself. The exact mechanism is under investigation still.

Notepad++ did not provide any indicators of compromise to look out for to determine if you might be affected. They recommend downloading the latest version of the program and manually running the installer to update it. However, earlier today cybersecurity company Rapid7 did release a list of indicators of compromise for teams to check out.

Notepad++ is addressing the issues by migrating to a more secure hosting provider. WinGUP, the updater, has been hardened to verify the certificate and the signature of the downloaded installer. They also are now signing the XML returned by the update server using XMLDSig and the certificate and signature verification will be enforced in a future update.

Security researcher Kevin Beaumont did a write up about a possible avenue of exploitation regarding WinGUP:

The downloads themselves are signed — however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering.

In version 8.8.8, the downloads are forced to be from GitHub which is much harder to intercept. Kevin notes the presence of an AutoUpdate.exe, which isn’t part of the legit Notepad++.

According to an analysis by Rapid7, the attack was likely carried out by a Chinese advanced persistent threat (APT) called Lotus Blossom that’s been active since 2009.

The attackers delivered a previously unseen custom backdoor that Rapid7 have dubbed Chrysalis.

They note that there’s no indication that the actual notepad++.exe and GUP.exe were compromised, but they coincided with the execution of a suspicious “update.exe” file downloaded from 95.179.213.0.

The exe file was actually a NSIS installer, which is commonly used by Chinese APT’s to deliver the initial payload.

When the script runs, it creates a new directory called “Bluetooth” in the “%AppData%” folder where the rest of the files will go.

It drops and executes BluetoothServices.exe, which is actually just a renamed legitimate Bitdefender Submission Wizard that’s abused to sideload DLLs.

From there, the malicious log.dll is loaded instead of the legitimate library.

The malware utilized Warbird, an undocumented Microsoft code-obfuscation framework that they designed to make reverse-engineering their DRM more difficult.

This incident shows how even programs assumed trustworthy and innocuous like a text editor are just as likely to be exploited as any other program.

The lack of sandboxing on desktop operating systems also leaves a lot to be desired compared to mobile operating systems like Android and iOS. Sandboxing features exist on macOS and Linux via Flatpak. Windows has win32 App Isolation coming in the future. Developers should make use of the hardening features provided by the operating system as much as possible.

Every operating system these days also provides an App Store that provides a trusted distribution and update mechanism for apps. It would be nice to see more apps distributed via the macOS App Store, Microsoft Store, and Flathub rather than developers trying to have their own individual auto update mechanism for each app.

Remember that every app can be a vector for attack, be extra vigilant.